Abstract

Given $n = pq$ with $p$ and $q$ prime and $y \in \mathbb{Z}_n^*$, Shor's algorithm computes the order $r$ of $y$:

$$y^r \equiv 1 \pmod n,$$

and if $r = 2k$, we get

$$(y^k - 1)(y^k + 1) \equiv 0 \pmod n.$$

Assuming that $y^k \not\equiv -1 \pmod n$, we can easily compute a non-trivial factor of $n$:

$$\gcd(y^k - 1,\, n).$$

In [Shor] it is shown that a randomly chosen $y$ is usable for factoring with probability at least $\frac{1}{2}$. In this paper we will show an efficient possibility to improve the lower bound of this probability by selecting only special $y \in \mathbb{Z}_n^*$. The lower bound of the probability using only these $y$ as an input for Shor's algorithm is $\frac{3}{4}$, so we have reduced the fault probability in the worst case from $\frac{1}{2}$ to $\frac{1}{4}$.

Preprocessing for Shor's Algorithm 

The following lemma is the starting point of our discussion: 

Lemma 1 Let $n = pq$ with $p, q$ prime. Then at least half of the $y \in \mathbb{Z}_n^*$ satisfy the following conditions:

The order $r$ of $y$ is even, i.e. $\exists k$ with $r = 2k$ (1)
$y^k \not\equiv -1 \pmod n$ (2)

If $p - 1 = 2^{n} s$ and $q - 1 = 2^{m} s'$ with $s, s'$ odd, the probability is exactly given by

[formula illegible in the source; it involves the factor $2^{-(m+n)}$ and a sum whose upper limit is $\min\{m,n\} - 1$]
The easy but helpful observation in order to improve this lower bound is 
the following lemma. 

Lemma 2 Let $p$ be a prime and $a$ a non-square in $\mathbb{Z}_p^*$. Then the order of $a$ is even.

Proof: Let $g$ be a generator of $\mathbb{Z}_p^*$ and $a = g^s$. As $a$ is a non-square it follows that $s$ is odd. The order of $a$ satisfies $\mathrm{ord}_p(a)\,s \equiv 0 \pmod{p-1}$, i.e. $\mathrm{ord}_p(a)\,s = k(p-1)$, and that means that $\mathrm{ord}_p(a)$ has to be even.

An element $y$ in $\mathbb{Z}_n^*$ has even order if $y$ has even order in $\mathbb{Z}_p^*$ or $\mathbb{Z}_q^*$. This yields the following corollary:



Corollary 3 Let $y$ be any element in $\mathbb{Z}_n^*$. Then

$$\left(\frac{y}{n}\right) = -1 \;\Rightarrow\; \exists k \text{ such that } \mathrm{ord}_n(y) = 2k.$$

As the Jacobi symbol is efficiently computable, we now have a sufficient criterion for an element to have even order.

Putting this together with the condition that $y^k \not\equiv -1$ we get our main theorem:

Theorem 4 The probability that a random $y \in \mathbb{Z}_n^*$ with $\left(\frac{y}{n}\right) = -1$ satisfies
$$\mathrm{ord}_n(y) = 2k \quad\text{and}\quad y^k \not\equiv -1 \pmod n$$
is at least $\frac{3}{4}$.

To prove the theorem we need:

Lemma 5 Let $p$ be prime with $p - 1 = 2^m x$, $x$ odd. Further let $g$ be a generator of $\mathbb{Z}_p^*$ and $b \in \mathbb{Z}_p^*$.

1. For $k \in \{1, \ldots, m\}$:
$$\mathrm{ord}_p(b) = 2^k w,\ w \text{ odd} \iff b = g^{2^{m-k} u},\ u \text{ odd}.$$
In particular there are $2^{k-1} x$ elements of this form.

2. The order of $b$ is odd if and only if $b = g^{2^m w}$ with $1 \le w \le x$ in $\mathbb{Z}_p^*$. There are exactly $x$ elements with odd order.

Proof:

1. Let $b = g^s$ and $t$ be the order of $b$. This is equivalent to $st \equiv 0 \pmod{p-1}$, $t$ minimal. That means
$$t = \frac{p-1}{\gcd(p-1, s)}.$$
If $t$ is of the form $2^k w$ ($w$ odd), $2^{m-k}$ divides $s$ but $2^{m-k+1}$ does not. This proves the statement.

2. The order $t$ is odd iff $2^m$ divides $s$, and this means that $s = 2^m w$ with $1 \le w \le x$.



Proof of the theorem: We are going to count the elements $y$ with $\left(\frac{y}{n}\right) = -1$ not satisfying condition (2). Due to Corollary 3 we know that the order of $y$ in $\mathbb{Z}_n^*$ is even, i.e. $\mathrm{ord}_n(y) = 2k$. We denote $s = \mathrm{ord}_p(y) = 2^i v$ and $t = \mathrm{ord}_q(y) = 2^j w$ with $v, w$ odd. In particular $2k = 2^{\max\{i,j\}} \operatorname{lcm}(v, w)$. The $y$ we are counting fulfil $y^k \equiv -1 \pmod n$, and this is equivalent to $y^k \equiv -1 \pmod p$ and $y^k \equiv -1 \pmod q$. But this means that neither $s$ nor $t$ divides $k$ (because otherwise, for example, $y^k = (y^s)^{k/s} \equiv 1 \pmod p$), and it follows that $i = j$. $\left(\frac{y}{n}\right) = -1$ means that $\left(\frac{y}{p}\right) = -1$ and $\left(\frac{y}{q}\right) = 1$, or $\left(\frac{y}{p}\right) = 1$ and $\left(\frac{y}{q}\right) = -1$. W.l.o.g. we assume the first case is true:

Let $p - 1 = 2^{m_1} x_1$ and $g_p$ be a generator of $\mathbb{Z}_p^*$; then $\left(\frac{y}{p}\right) = -1$ if and only if $y \equiv g_p^{t_1}$ for odd $t_1$. So we have to count all the odd $t_1$ such that the order of $y = g_p^{t_1}$ is of the form $2^i v$, $v$ odd. With Lemma 5 we conclude that only for $i = m_1$ such values $t_1$ can exist, and in this case all odd values between $1$ and $p - 1$ lead to such an element.

Now we have to discuss the elements with respect to $q$. Let $q - 1 = 2^{m_2} x_2$ and $g_q$ be a generator of $\mathbb{Z}_q^*$. We have to count all the even values $t_2$ where the order of $g_q^{t_2}$ is of the form $2^{m_1} w$. When $m_1 > m_2$, there are no such values because the order of $g_q^{t_2}$ has to divide $q - 1 = 2^{m_2} x_2$. If $m_1 = m_2$ there are no even solutions for $t_2$. So the only case remaining is $m_1 < m_2$. Due to Lemma 5 the solutions are exactly the $t_2$ of the form $2^{m_2 - m_1} u$ for $u$ odd. Here $u$ can be any odd value between $1$ and $2^{m_1} x_2 - 1$, so this gives exactly $2^{m_1 - 1} x_2$ solutions.

For the second case $\left(\frac{y}{p}\right) = 1$ and $\left(\frac{y}{q}\right) = -1$ we get the same result, so in the case $m_1 \neq m_2$ we can assume $m_1 < m_2$ w.l.o.g.

Summing up all these values not satisfying the conditions (1) and (2) when $m_1 \neq m_2$ we get:

$$A(n) = \frac{p-1}{2} \cdot 2^{(m_1 - 1)} x_2 = \frac{(p-1)(q-1)}{2 \cdot 2^{(m_2 - m_1 + 1)}} = \frac{1}{4}\,\varphi(n)\,\frac{1}{2^{(m_2 - m_1)}}.$$

The number of elements with $\left(\frac{y}{n}\right) = -1$ is $\frac{1}{2}\varphi(n)$, and so the probability we were looking for is:

$$1 - \frac{2A(n)}{\varphi(n)} = 1 - \frac{1}{2^{(m_2 - m_1 + 1)}} \ge \frac{3}{4}.$$

The case $m_1 = m_2$ is even better, because here the probability is $1$, which means that $y$ with $\left(\frac{y}{n}\right) = -1$ always satisfies both conditions (1) and (2).
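As an added check of Theorem 4 (this is not code from the paper; the function names are my own), the following Python script brute-forces $\mathbb{Z}_n^*$ for small $n = pq$: it computes the Jacobi symbol, tests conditions (1) and (2) for every unit, compares the success rate over all $y$ with the rate over the selected $y$ with $\left(\frac{y}{n}\right) = -1$, and evaluates the probability $1 - 1/2^{(m_2 - m_1 + 1)}$ (or $1$ when $m_1 = m_2$) derived above.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:  # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # reciprocity: sign flips only if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def order(y, n):
    """Multiplicative order of y in Z_n^* (brute force; fine for tiny n)."""
    r, acc = 1, y % n
    while acc != 1:
        acc = acc * y % n
        r += 1
    return r

def usable(y, n):
    """Conditions (1) and (2): r = 2k even and y^k != -1 (mod n)."""
    r = order(y, n)
    return r % 2 == 0 and pow(y, r // 2, n) != n - 1

def success_rates(p, q):
    """(rate over all y in Z_n^*, rate over the y with (y/n) = -1) for n = pq."""
    n = p * q
    units = [y for y in range(1, n) if gcd(y, n) == 1]
    selected = [y for y in units if jacobi(y, n) == -1]
    return (sum(usable(y, n) for y in units) / len(units),
            sum(usable(y, n) for y in selected) / len(selected))

def two_adic(k):  # m such that k = 2^m * odd
    m = 0
    while k % 2 == 0:
        k //= 2
        m += 1
    return m

def predicted(p, q):
    """Theorem 4's probability: 1 if m1 == m2, otherwise 1 - 1/2^(m2 - m1 + 1)."""
    m1, m2 = sorted((two_adic(p - 1), two_adic(q - 1)))
    return 1.0 if m1 == m2 else 1 - 1 / 2 ** (m2 - m1 + 1)
```

For $p = 3$, $q = 17$ ($m_1 = 1$, $m_2 = 4$) both `success_rates(3, 17)[1]` and `predicted(3, 17)` return $0.9375 = 15/16$, and for $p = 7$, $q = 11$ ($m_1 = m_2 = 1$) every selected $y$ is usable.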